Dilemma of the day:
Aaron Birnbaum
Security Savvy Speaker | vCISO | TRaViS ASM Founder | Cybersecurity Whisperer | CISSP | MBA
Thoughts, opinions, rants, etc. are my own and are in no way affiliated with any employer/partner/contractor/babysitter/relative
#1 - For the record I am absolutely against the exploitation of children.
#2 - I am also in favor of due process and a fair trial.
#3 - I am not sure how I feel about this situation.
Essentially the article at the bottom is about the fact that the US Gov't has allegedly been able to 'crack' TOR technology with some proprietary code and/or method (well smack my butt and call me surprised!).
TOR was never meant to be a way to hide criminal activity; it was meant to provide an 'anonymity' network, which would require a lot of time and resources to find the 'dissident' or news reporter.
From Wikipedia: Using Tor makes it more difficult to trace Internet activity to the user: this includes "visits to Web sites, online posts, instant messages, and other communication forms". Tor's intended use is to protect the personal privacy of its users, as well as their freedom and ability to conduct confidential communication by keeping their Internet activities unmonitored.
Note that it never says 100% anonymous, it says 'makes it more difficult'. Kind of a big difference there. I know there are a number of papers out there that discuss methods for this in depth, and I have a friend who has seen one method used (Note: If you really think that TOR is 100% effective in hiding you, then I have a lovely bridge on sale now).
BACK TO BUSINESS: In the trial for some very bad people, the Dept of Justice (DOJ) was able to identify some individuals and servers by use of a "network investigative technique" (NIT), which many security experts have dubbed "malware."
In order to keep their 'secret', the DOJ would not tell/explain/inform/educate HOW the NIT worked and allowed them to identify the 'alleged' criminals. They have dropped similar cases in the past, rather than disclose the means by which they have been able to identify the individuals.
The DOJ has stated: "Disclosure is not currently an option."
In 2016, US District Judge Robert Bryan ordered the government to hand over the NIT's source code. Since that May 2016 order, the government has classified the source code itself, thwarting efforts for criminal discovery in more than 100 related cases that remain pending.
So....Here's my problem: You have the capability to stop 'certain illegal activities' and arrest the people behind it. But you won't let the prosecution proceed, because the 'secret' might get out? You dedicate the manpower and money to stopping things and then....?!
Ummmm....anyone else have an issue with this, or is it just me? Why can't you get a vetted 'expert' to review the code, and verify that the NIT is legitimate? It seems to me that there has to be a lawyer or two out there that could fit these criteria. Just like an 'expert' reviews attorney or doctor communications to make sure that client-confidentiality is not voided, we should have a system to deal with this.
Or, option B: We let these criminals off with no repercussions, and the abuse and exploitation continues. Why bother arresting them? Just shut down the site.
If there are any attorneys out there that have some insight into this, I would love to hear from them.
#computersandtheinternet #cybersecurity #infosec #security #computersecurity #informationtechnology #abrants #tor #moralDilemna
https://www.technologyreview.com/s/615163/a-dark-web-tycoon-pleads-guilty-but-how-was-he-caught/